On Tue, Dec 8, 2020 at 5:09 PM Derek Atkins <derek(a)ihtfp.com> wrote:
> Hi Didi,
> On Tue, December 8, 2020 10:03 am, Yedidyah Bar David wrote:
>> On Tue, Dec 8, 2020 at 4:25 PM Derek Atkins <derek(a)ihtfp.com> wrote:
>>>
>>> Hi,
>>>
>>> I'm running a single-host, hosted-engine Ovirt deployment, version 4.3.10
>>> (upgraded from 4.0->4.1->4.2) and it's complaining that my host cert does
>>> not have a SubjectAltName.
>>>
>>> If I try to use pki-enroll-request.sh to rebuild the host cert and follow
>>> the instructions to add a --san, I get an error:
>>>
>>> /usr/share/ovirt-engine/bin/pki-enroll-request.sh --name=host.na.me --san=host.na.me
>>
>> Please try with '--san=DNS:host.na.me'.
> AHA, thank you... That worked.
>>> Using configuration from openssl.conf
>>> Check that the request matches the signature
>>> Signature ok
>>> The Subject's Distinguished Name is as follows
>>> organizationName :PRINTABLE:'My Org Name'
>>> commonName :PRINTABLE:'host.na.me'
>>> ERROR: adding extensions in section v3_ca_san
>>> 139875647600528:error:2207507C:X509 V3 routines:v2i_GENERAL_NAME_ex:missing value:v3_alt.c:531:
>>> 139875647600528:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:v3_conf.c:95:name=subjectAltName, value=host.na.me
>>> Cannot sign certificate
>>>
>>> Am I using this script incorrectly?
>>
>> You are using it well. --san argument is passed as-is to openssl's
>> 'subjectAltName', which requires a prefix to tell its type. Search the
>> net for 'openssl subjectAltName' for other examples.
> Is there any chance this could be added to the --help output?
> An actual example would have been very useful.
Frankly, I'd prefer that people (like you) who need to use these
utilities manually search the net if they have problems, rather
than spending hours debating how long --help should be, what
should be included in it and what not, what link we might provide
for further reference (and please note that I didn't include such
a link in my original reply, simply because I failed to find one
that seemed "most suitable"), etc. That said, patches are welcome!
If you think you can improve the current text in a conflict-free
way, which everyone will agree to, please go ahead and push a
patch! :-)
BTW: What I personally do is search the code and/or relevant logs
to see what other tools (the engine, engine-setup, in this case)
do, as "reference examples".
Best regards,
--
Didi
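The openssl behaviour behind the error in this thread, as an added example (this is not oVirt's pki-enroll-request.sh and not code from either poster). It signs a throwaway CSR twice with an extension file whose subjectAltName is taken verbatim, the way --san is passed through: once with the bare name, which openssl rejects with "missing value", and once with typed entries (DNS:, IP:), which it accepts. It then reads the SAN back out of the issued certificate, which is the check worth running on the real host cert after re-enrolling. Assumptions: an openssl binary (1.1.1 or newer) in PATH, and host.na.me / 192.0.2.10 as placeholder values.

```sh
#!/bin/sh
# Added example, not oVirt's pki-enroll-request.sh. A subjectAltName value
# is a comma-separated list of typed entries (DNS:, IP:, email:, URI:, ...);
# a bare host name carries no type and openssl rejects it as "missing value".
# Assumes: openssl 1.1.1+ in PATH; host.na.me and 192.0.2.10 are placeholders.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway CA plus a host key and CSR, reused by every sign attempt.
setup_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/O=Example/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 &&
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example/CN=host.na.me" \
    -keyout "$WORK/host.key" -out "$WORK/host.csr" >/dev/null 2>&1
}

# sign_with_san SAN_VALUE OUT_CERT
# Signs the CSR with an extension file whose subjectAltName is SAN_VALUE,
# passed through verbatim just as --san is. Returns openssl's exit status:
# 0 if the cert was issued, non-zero if the extension value was rejected
# (openssl's error text is left in $WORK/sign.err).
sign_with_san() {
  printf 'subjectAltName = %s\n' "$1" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/host.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/ext.cnf" -out "$2" >/dev/null 2>"$WORK/sign.err"
}

# cert_san CERT
# Prints the certificate's SAN entries on one line, or nothing if the file
# is missing or carries no subjectAltName extension (the check to run on a
# freshly enrolled host cert).
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    sed -n '2s/^ *//p'
}

setup_pki

if sign_with_san 'host.na.me' "$WORK/bare.crt"; then
  echo "unexpected: bare name accepted as a SAN"
else
  echo "bare name rejected, as in the thread:"
  grep -o 'missing value' "$WORK/sign.err" || cat "$WORK/sign.err"
fi

if sign_with_san 'DNS:host.na.me,IP:192.0.2.10' "$WORK/typed.crt"; then
  echo "typed entries accepted; cert SAN: $(cert_san "$WORK/typed.crt")"
fi
```

Any of the usual openssl general-name types works in the second call (email:, URI:, and so on), as long as each entry carries its prefix; the --san argument to pki-enroll-request.sh needs the same shape because it is handed to openssl unchanged.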